The present invention relates to a method and system for securely proving ownership of pseudonymous or anonymous electronic credentials. A credential system is described consisting of users and organizations. An organization knows a user only by a pseudonym. The pseudonyms of the same user, established...http://www.google.com/patents/US7360080?utm_source=gb-gplus-sharePatent US7360080 - Non-transferable anonymous credential system with optional anonymity revocation

The present invention relates to a method and system for securely proving ownership of pseudonymous or anonymous electronic credentials. A credential system is described consisting of users and organizations. An organization knows a user only by a pseudonym. The pseudonyms of the same user, established for use with different organizations, cannot be linked. An organization can issue a credential to a pseudonym, and the corresponding user can prove possession of this credential to another organization that knows him under another pseudonym. During the prove of possession of the credential nothing besides the fact that he owns such a credential is revealed. A refinement of the credential system provides credentials for unlimited use, so called multiple-show credentials, and credentials for one-time use, so called one-show credentials.

Images(2)

Claims(19)

1. A method for establishing a pseudonym system by having a certificate authority accepting a user as a new participant in said pseudonym system, the method comprising the steps of:

receiving a first public key provided by said user;

verifying that said user is allowed to join the system;

computing a credential by signing the first public key using a secret key owned by said certificate authority; and

publishing said first public key and said credential,

wherein

the step of receiving a first public key further includes receiving an external public key being registered for said user with an external public key infrastructure and receiving an encryption of a secret key encrypted by using said first public key;

the step of verifying that said user is allowed to join the system further includes verifying that said external public key is indeed registered with said external public key infrastructure;

the step of publishing said first public key and said credential comprises publishing said encryption and the name of the external public key infrastructure; and

additionally comprises the step of proving that the secret key corresponding to said external public key is encrypted in said received encryption.

2. The method according to claim 1, wherein

said first public key of the user is derived from at least one first secret key composed by the user.

3. The method according to claim 2, wherein

the step of receiving a first public key derived from a first secret key further comprises receiving a second public key which is derived from a second and a third secret key composed by the user; and

the step of computing a credential by signing the first public key using a secret key owned by said certificate authority further comprises computing a credential by signing the second public key using said secret key owned by said certificate authority.

4. A computer program product stored on a computer usable medium, comprising computer readable program means for executing the method in claim 1 by a computer.

5. A method for establishing a pseudonym system by having an organization register a user, the method comprising the steps of:

receiving a first public key provided by said user;

receiving a first encryption encrypted by using said first public key;

proving that an existing public key is registered for said user with another organization of said pseudonym system and proving that the secret key corresponding to said existing public key is encrypted in said received first encryption;

publishing said first public key, said first encryption and the name of said other organization.

6. The method according to claim 5, wherein

proving that an existing public key is registered for said user with said other organization of said pseudonym system and proving that the secret key corresponding to said existing public key is encrypted in said received first encryption includes proving possession of a credential issued by said organization of said existing public key.

7. The method according to claim 6, wherein

the step of receiving a first encryption encrypted by using said first public key further comprises receiving a second encryption encrypted by using said existing public key;

the step of proving that the secret key corresponding to said existing public key is encrypted in said received first encryption further comprises proving that the secret key corresponding to said first public key is encrypted in said received second encryption; and

the step of publishing said first public key, said first encryption, and the name of said other organization further comprises publishing said second encryption.

8. The method according to claim 7, wherein

the step of receiving a first encryption encrypted by using said first public key further comprises receiving a third encryption encrypted by using a public key published by a revocation manager; and

the step of proving that the secret key corresponding to said existing public key is encrypted in said received first encryption further comprises proving that said existing public key is encrypted in said received third encryption.

9. The method according to claim 8, wherein

the first public key of the user is derived from at least two secret keys composed by the user.

10. The method according to claim 9, wherein

the step of proving that the secret key corresponding to said first public key is encrypted in said received second encryption includes proving that all of said at least two secret keys corresponding to said first public key are encrypted in said second encryption.

11. The method according to claim 10, further comprising a step of

proving that the first public key is derived from at least two secret keys and proving that one of the secret keys is identical to one of the secret keys used to derive another public key from which the user claims it is registered with another organization.

12. The method according to claim 11, wherein

the existing public key of the user is derived from at least two secret keys composed by the user.

13. The method according to claim 12, wherein

the step of proving that the secret key corresponding to said existing public key is encrypted in said received first encryption includes proving that all of said at least two secret keys corresponding to said existing public key are encrypted in said first encryption.

14. The method according to claim 13, further comprising the steps of

receiving a third public key provided by said user;

proving that one secret key used to derive said third public key is identical to one secret key used to derive said existing public key from which the user claims it is registered with a specified organization.

15. The method according to claim 14, further comprising the step of:

computing a credential by signing the first public key using a secret key owned by said organization;

and wherein the step of publishing said first public key, said first encryption and the name of said other organization further comprises publishing said certificate.

16. The method according to claim 15, wherein

the step of receiving a first public key derived from a first secret key further comprises receiving a second public key which is derived from a second and a third secret key composed by the user; and

the step of computing a credential by signing the first public key using a secret key owned by said certificate authority further comprises computing a credential by signing the first and second public key using said secret key owned by said certificate authority.

17. The method according to claim 5, further comprising the steps of:

receiving a request from an organization for revealing a pseudonym or the identity of the user;

judging whether it is justified to reveal the pseudonym or the identity of the user; and

sending the pseudonym or the identity of the user to the requesting organization, in case that this is justified.

18. A method for having a verifier checking possession of a credential by a user issued by a specified organization, the method comprising the steps of:

proving that an existing public key is registered for said user with said specified organization of said pseudonym system,

receiving a third encryption encrypted by using a public key published by a revocation manager; and

proving that said existing public key is encrypted in said received third encryption,

wherein the step of proving that an existing public key is registered for said user with said specified organization of said pseudonym system includes proving possession of a credential issued by said organization of said existing public key.

19. The method according to claim 18, further comprising the steps of:

receiving a third public key provided by said user;

proving that one secret key used to derive said third public key is identical to one secret key used to derive said existing public key from which the user claims it is registered with said specified organization.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of computer network management, it specifically concerns a method and a technical implementation for secure data exchange over a computer network. More particularly, the present invention relates to a method and system for securely proving ownership of pseudonymous or anonymous electronic credentials.

2. Description of the Related Art

Since the mid 1990s one of the most rapidly growing retail sectors is referred to as electronic commerce. Electronic commerce involves the use of the Internet and proprietary networks to facilitate business-to-business, consumer, and auction sales of everything imaginable, from computers and electronics to books, recordings, automobiles, and real estate. In such an environment consumer privacy is becoming a major concern.

However, the mere fact that electronic commerce is conducted over an existing open network infrastructure such as the Internet runs counter to the privacy of the consumer. Often, there are legitimate reasons for a party to remain anonymous.

OBJECT OF THE INVENTION

Starting from this, the object of the present invention is to provide a method and a system for securely proving ownership of pseudonymous or anonymous electronic credentials, wherein a party that proves its ownership of the credential can stay anonymous, i.e., that does not need to reveal its identity.

BRIEF SUMMARY OF THE INVENTION

The foregoing object is achieved by a method and a system as laid out in the independent claims. Further advantageous embodiments of the present invention are described in the sub claims and are taught in the following description.

In the independent claims the same invention, and more particularly, the same system is described having closely related methods. First a user has to join the whole system. Then, the user is able to establish more connections to different organizations, which are also belonging to the system. Finally, the user is able to show respective credentials, which the user gathered before to a verifier (or further organizations). Hence, all such methods realising a single system which is based on the present invention.

As the collection and exploitation of secret information become more of a concern, users are less willing to give out information, and may want to conduct transactions under a pseudonym or anonymously. For example, a user in a pseudonymous or anonymous transaction may receive a credential stating that, e.g., he made a payment for a newspaper subscription. The user might want to use the credential at a later point in time or several times in the future to prove that the particular transaction took place, e.g., that the user is entitled to read articles in the newspaper.

The method and system for proving ownership of an electronic credential in accordance with the present invention is to be used in a communication system providing a public key encryption infrastructure. That is a system of public key encryption using digital certificates from certificate authorities and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. The certificate authority, also called “Trusted Third Party”, is an entity, typically a company, that issues digital certificates to other entities like organizations or individuals to allow them to prove their identity to others. The certificate authority might be an external company that offers digital certificate services or it might be an internal organization such as a corporate MIS (Management Information System) department. The Certificate Authority's chief function is to verify the identity of entities and issue digital certificates attesting to that identity.

In comparison, public key encryption is an encryption scheme, where each person gets a pair of keys, called the public key and the secret key. Each person's public key is published while the secret key is kept secret. Messages are encrypted using the intended recipient's public key and can only be decrypted using his secret key. This is mechanism can also be used for or in conjunction with a digital signature.

The digital signature is formed by extra data appended to a message which identifies and authenticates the sender and message data using public-key encryption. The sender uses a one-way hash function to generate a hash-code of, for example, 160 bits from the message data. He then encrypts the hash-code with his secret key. The receiver computes the hash-code from the data as well and decrypts the received hash with the sender's public key. If the two hash-codes are equal, the receiver can be sure that data has not been corrupted and that it came from the given sender.

The need for sender and receiver to share secret information, e.g., keys, via some secure channel is eliminated, since all communications involve only public keys, and no secret key is ever transmitted or shared. Public-key encryption can be used for authentication, confidentiality, integrity and non-repudiation. RSA encryption is an example of a public-key cryptography system.

The one-way hash function, also called “message digest function”, used for the digital signature is a function which takes a variable-length message and produces a fixed-length hash. Given the hash it is computationally impossible to find a message with that hash. In fact, one cannot determine any usable information about a message with that hash, not even a single bit. For some one-way hash functions it is also computationally impossible to determine two messages which produce the same hash. A one-way hash function can be secret or public, just like an encryption function. A public one-way hash function can be used to speed up a public-key digital signature system. Rather than signing a long message which can take a long time, the one-way hash of the message is computed, and the hash is digitally signed.

A new credential system is described consisting of users and organizations. An organization knows a user only by a pseudonym. The pseudonyms of the same user, established for use with different organizations, cannot be linked. An organization can issue a credential to a pseudonym, and the corresponding user can prove possession of this credential to another organization that knows him under another pseudonym. During the prove of possession of the credential nothing besides the fact that he owns such a credential is revealed. In a refinement of the credential system there are credentials for unlimited use, so called multiple-show credentials, and credentials for one-time use, so called one-show credentials.

The method and system according to the present invention works as follows. In order to establish a pseudonym system a certificate authority accepts a user as a new participant in the pseudonym system by initially receiving a first public key provided by said user and an external public key being registered for said user with an external public key infrastructure. Then, the certificate authority verifies that the external public key is indeed registered with said external public key infrastructure. If this is the case the certificate authority receives an encryption of a secret key encrypted by using said first public key and proves that the secret key corresponding to said external public key is encrypted in said received encryption. Then, it computes a credential by signing the first public key using a secret key owned by said certificate authority and, finally, the certificate authority publishes the first public key, the certificate, the encryption and the name of the external public key infrastructure.

In a second aspect of the present invention to establishing a pseudonym system a user needs to get registered with an organization. To do so, the organization receives a first public key provided by said user and a first encryption of a first secret key encrypted by using said first public key. Then, it proves that an existing public key is registered for said user with said other organization of said pseudonym system and that the secret key corresponding to said existing public key is encrypted in said received first encryption. Then, the organization computes a credential by signing the first public key using a secret key owned by said organization and publishes the first public key, the certificate, the first encryption and the name of the other organization.

According to a third aspect of the present invention a verifier validates a credential shown by a user, whereby the credential is formed by a public key which is registered with a specified organization. Initially, the verifier receives a first public key provided by the user and an existing public key being registered for said user with the aforementioned organization. Then, the verifier verifies that the existing public key is indeed registered with said organization and receives a first encryption of a first secret key encrypted by using the first public key. Finally, the verifier proves that the secret key corresponding to the existing public key is encrypted in the received first encryption.

The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system—or other apparatus adapted for carrying out the methods described herein—is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods.

Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following a) conversion to another language, code or notation; b) reproduction in a different material form.

BRIEF DESCRIPTION OF THE DRAWINGS

The above, as well as additional objectives, features and advantages of the present invention, will be apparent in the following detailed written description.

The novel features of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives, and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawing, wherein:

FIG. 1 shows a general layout of a pseudonym system according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

With reference to FIG. 1, there is depicted a general layout of a pseudonym system according to the present invention. Within the pseudonym system there are five organizations, a certificate authority CA, an organization being able to issue a driver's license DrLi, an insurance company for normal cars Ins, an insurance company for sports cars Spins and a car rental organization CarRO. Furthermore, the pseudonym system includes two verifiers, a car rental agency CR and a sports car rental agency SR.

An arrow from X to Y means that the user showed to entity Y a credential issued to him by entity X. The dashed line groups organizations that trust each other to check various credentials properly. In the shown example of a pseudonym system a user is enabled to obtain a driver's license through organization DL, a car insurance through organization Ins, a sports car insurance through Spins, and access to a car rental through the car rental organization CarRO. The access to car rental is as follows.

The user first registers with the car rental organization CarRO which verifies that he is a valid user (has got a CA-credential) and has got a car-insurance (has an Ins-credential). In the given scenario the car rental organization does not need to worry whether or not the user has got a driver's license since the respective insurance is responsible and liable for that. Now, if the user wants to rent an ordinary car, he goes to the car rental agency CR which functions as a verifier and proves that he owns a credential from the car rental organizationCarRO. After he has proven that he owns the respective credential he will get a car.

However, if the user would like to rent a sports car, he goes to the sports car agency SR. There he shows that he owns not only a credential from the car rental organization CarRO but also from the sports car insurance Spins, i.e., that he has a special insurance for sports cars.

None of the credentials reveal any information about the user's real identity or pseudonym. However, the showing of credentials can be carried out in such a way that a designated revocation manager can later find the user's identity and/or pseudonyms. For instance, in case the user has a non-criminal car accident, the revocation manager reveals the pseudonym the user has with the corresponding insurance company and the cost of his insurance will go up. Whereas, if he has a criminal accident, then the revocation manager also reveals his real identity for further prosecution.

In the following all methods needed for the above scenario are described in greater detail.

Let {0, 1}* denote the set of all binary strings.

Computational problems are often modeled as decision problems: decide whether a given xε {0, 1}* belongs to a language L ⊂ {0, 1}*. P is the class of languages for which this can be decided in polynomial time. NP is the class of problems for which the decision whether x belongs to L can be verified in polynomial time when provided a credential (or witness) of this fact. Clearly P ⊂ NP.

Let R ⊂ {0, 1}*×{0, 1}* be a boolean relation. We say that R is “polynomially bounded” if there exists a polynomial p(·) such that |w|≦p(|x|) holds for all (x, w) ε R. Furthermore, R is an NP-relation if it is polynomially bounded and if there exists a polynomial-time algorithm for deciding membership of pairs (x, w) in R. Finally,
LR={x|∃w such that (x, w)εR}
is the language defined by R.

A language L is in NP if there exists an NP-relation RL ⊂ {0, 1}*×{0, 1}* such that xε L if and only if there exists a w such that (x, w)εRL. Such a w is called a witness of the membership of x in L. The set of all witnesses of x is denoted as RL(x).

It is known that for any NP-relation R, there exits a so-called proof of knowledge. Such a proof is a protocol between a prover and a verifier which allows the prover to convince the verifier that for some given value y he knows a value w such (w, y) is contained in R. The protocol has the additional property although the verifier knows y, she does not get any information about w other than that such a value exists and that the prover knows it. Realization of such protocols for any relation R are described in Brassard et al. (G. Brassard, D. Chaum, and C. Crépeau. Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences, 37(2):156-189, October 1988, or Boyar et al. J. Boyar, I. Damgaard, and R. Peralta; Short non-interactive cryptographic proofs; Journal of Cryptology, 13(4):449-472, October 2000). We will denote these methods as
PK{(α):(α, y)εR},
where Greek letters stand for the values the prover shows knowledge of and that the verifier does not learn whereas she learns all other parameters. Finally, (α, y) ε R is the statement that is proven, or, in other words, the conditions that the (secret) values the prover knows satisfy.

There exists also non-interactive variants of these protocols. They can be obtained from the interactive protocol using the so-called Fiat-Shamir heuristic (A. Fiat and A. Shamir; How to prove yourself: Practical solution to identification and signature problems; In A. M. Odlyzko, editor, Advances in Cryptology—CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194; Springer Verlag, 1987). The resulting protocol can also be seen as a digital signature. We denote them
SPK{(α):(α, y)εR}(m),
where SPK stands for signature based on a proof of knowledge, and m is the message that gets signed.

Let Enc and Dec denote the encryption and decryption algorithm of some public key encryption scheme. Let P be a public key of such a scheme and S be the corresponding secret key. Then e=EncP(m) means that e is the encryption of some message m under public key P. Similarly, d=DecS(e) means that d is the decryption of e using the secret key S, where d=m if e is a valid encryption of m under P. If Enc is a probabilistic algorithm, then we write e=EncP(m, r), where r contains all the random choices to be made, i.e., EncP(., .) becomes a deterministic algorithm.

Let Sig and Ver denote signature generation and verification algorithm of some public key signature scheme. The algorithm Sig takes the secret key xs and a message m as input and outputs a signature σ of m. On input of a message m, a signature σ, and the public key ys of a signer, the the algorithm Ver outputs true or false. The following must be satisfied.

Ver(m,σ,ys)={trueifProb(σ=Sig(m,xs))>0falseotherwise
Furthermore, a signature scheme must be unforgeable. This means that is must be infeasible to compute a signature of a message with respect to a public key without knowing the corresponding secret key.

a certification authority O0=CA, organizations O1, O2, . . . , and a user U. Let PCA, PO1, and PO2 denote the respective public keys of the first three parties of some signature schemes and SCA, SO1, and SO2 denote the respective secret keys.

For all protocols we assume that it is aborted as soon as some verification or check fails.

Let PUPKI be use U's public key she has registered with an external PKI and let SUPKI denote the corresponding secret key.

Let ƒx: {0, 1}*→{0, 1}* denote the (one-way) function that relates secret and public keys a users chooses with organization X. For instance, PUPKI=ƒPKI(SUPKI) This function is part of the public key of X.

In the following the public key PUOj a user has established with some organization Oj is considered the pseudonym of user U with Oj. In practice, PUOj might serve as key to a database where Oj stores information it has collected about U.

Furthermore, in the following the term “showing of a credential” is used somewhat misleading to actually mean that the user proves possession of a credential. In particular, the user never reveals the credential itself to the party he proves possession (or “shows”) of it.

The following first method describes how a new user enters the pseudonym system, i.e., registering with the CA.

3. CA verifies that PUPKI is indeed registered with the external PKI. (Depending on the actual use of the pseudonym system, the CA might have to check also thing other than his identity, whether he has sufficient income, sufficient assurance.)

5. U proves the CA that the secret key corresponding to PUPKI is encrypted in e1CA under the public key PUCA. More formally, U proves the CA the following
PK{(α, β): PUPKI=ƒPKI(α) Λe1CA=EncPUCA(α, β)}.

The following second method shows how a user registers with an organization Oi and obtains a Credential from said organisation Oi, whereby i>1, i.e., it covers all cases except of the initial registering with the CA as described above.

2. Depending on the requirements of Oi, U has to prove to Oi that U possesses credentials by various organizations (including CA). Assume that U has to prove Oi the possession of a credential by Oj. If Oi requires U to prove the possession of credentials from other organizations as well, then following steps are repeated for each of these organizations/credentials.

(b) U proves to Oi that it established a public key with Oj, that the corresponding secret key is encrypted in e1(Oi, Oj) under the public key PUOi, and that U owns a credential by Oj (w.r.t. the public key U established with Oj). More formally, U proves Oi the following
PK{(α, β, γ, δ):α=ƒOj(β)Λe1(Oi,O)=EncPUOi(β, γ)Λ1=V er(α, δ, POj)}

4. Oi publishes the triple (PUOi, cUOi, e1(Oi, Oj), Oj) for al Oj for which it asked for the possession of credentials of.

It should be noted that all the steps of this protocol can be in fact executed at different times (as long as the order is kept). If this is done, then U has to send Oi the public key PUOi before each of the steps to let Oi resynchronize. Example: first step 1 is executed followed by step 2; At some later time, U sends Oi PUOi again and they execute step 2 again, this time for credentials from different organization(s); finally step 3 is executed.

The encryptions e1(Oi, Oj) ensure non-transferability: this is because in order to transfer a credential to another user U′, user U needs to reveal SUOi. Knowing this value, U′ can compute PUOi, lookup e1Oi, Oj, decrypt it, and obtain SUOj. Repeating this process, U will finally be able to decrypt e1CA and obtain the valuable external secret key of U.

The triple (PUOi, cUOi, e1(Oi, Oj)) can either be published by the organizations themselves or centrally at one place for the hole pseudonym system, e.g., the CA could maintain such a list (ordered by PUOi).

Now, the same user shows a credential to a verifier V according to the following third method. In this method “multiple show” of the credential is possible.

In order to get access to some service, U has to show possession of a credential by the organization the verifier (service provider) V is associated with. Assume that U has to prove V the possession of a credential by Oj.

1. U proves to V that it established a public key with Oj, that U owns a credential by Oj on that public key, and that U actually knows the corresponding secret key. More formally, U proves V the following
PK{(α, β, δ):α=ƒOj(β) Λ1=V er(α, δ, POj)}
In case V requires that U proves possession of credentials from several organizations, then V has to be treated like an organization. That is U and V follow the second method (including the publishing of the encryptions), with the exception that V does not issue a credential, i.e., step 3 is not executed. Note that if this is done, U has established a public key (pseudonym) with V.

It has to be acknowledged that in order to be fully anonymous, each time U wants to access the service provided by V he needs to engage again in the above protocol or according to the second method without step 3.

This following describes the additions to the methods from above to achieve all-or-nothing transferability.

No changes have to be applied in order to enter the pseudonym system, i.e., to register with the CA.

In order to register with Oi and to obtaining a credential from Oi, i>1, the steps 2 and 4 of the second method need to be adapted. That is, step 2a and 2b are as follows.

2b′. U proves to Oi that it established a public key with Oj, that the corresponding secret key is encrypted in e1(Oi, Oj) under the public key PUOi, and that U owns a credential by Oj (w.r.t. the public key U established with Oj). Furthermore, U also proves that e2(Oi, Oj) is an encryption of the secret key corresponding to PUOi under the public key U has established with Oj. More formally, U proves Oi the following
PK{(α, β, γ, δ, ε, ν):α=ƒOj(β)Λe1Os i,Os j)=EncPUsi OPUi=ƒOj(ε) Λe2(Oi, Oj)=Encα(ε, ν)}
Furthermore, step 4 becomes

4′. Oi publishes the list (PUOi, cUOi, e1(Oi, Oj), e2( Oi, Oj), Oj) for all Oj for which it asked for the possession of credentials of.

The remark about publishing the encryption provided to Oi by U made above applies here as well.

The encryptions e1(Oi, Oj), e2(Oi, Oj) ensure non-transferability: recall that to transfer a credential to another user U′, user U needs to reveal SUOi. Knowing this value, U′ can compute PUOi lookup e1Oi, Oj, decrypt it, and obtain SUOj. Repeating this process, U will finally be able get SUCA, decrypt e1CA and obtain the valuable external secret key of U. Now, as U′ known SUCA, he can also decrypt all e2(Oi, CA) and get the secret keys U chose with any organization U had to prove possession of a credential by CA. Now, if U′ knows the secret key U chose with organization Oj and U needed to prove Oi, possession of a credential by Oj, user U′ can get e2(Oi, Oj), decrypt it, and learn the secret key U chose with Oi. Repeating these process, U′ will eventually get to know all secret keys user U chose and use all the credentials of user U. Thus, if a user transfers one credential to another user, he effectively transfers all of them.

No changes have to be applied to the third method in order to show a credential to a Verifier V under “multiple show”.

In another refinement the above methods provide all-or-nothing non-transferability.

To enter the pseudonym system and to register with the CA, the steps 4, 5, and 7 can be omitted.

In order to register with Oi and to obtain a credential from Oi, i>1, the same modification to the first method as previously explained have to be made.

The same method as before can be used to show a credential to a verifier V under “multiple show”.

In another refinement the above methods provide revokability. Local anonymity revocation means that whenever U proved possession of a credential by Oj to a party X, it is possible to some third party (revocation manager) to retrieve the pseudonym/public key U has established with Oj from the information X obtained from U.

In the following mR be the text stating under which conditions the anonymity shall be revoked. This text can be unique to each showing of a credential. Is it understood that whenever the revocation manager is asked for revocation he will not reveal the pseudonym if the conditions stated in mR are not met. For instance, if mR states that revocation requires that the person that proved the possession of a credential needs to be involved in some crime, then the revocation manager will not revoke the anonymity until the requesting party can convince the revocation manager that the user at hand was indeed involved in some crime (c.f. the car accident example). In order to add local revokability, one has to apply the following changes to the respective methods. Of course, local revokability can also be added after other features were added.

To allow local revokability, each organization has to nominate a revocation manager who generates a public and secret key of a non-malleable encryption scheme, i.e., the revocation manager Ri responsible for organization Oi generates SRi and PRi and publishes PRi.

Entering the pseudonym system and registering with the CA works without further changes to the respective protocol.

For registering with Oi and obtaining a credential from Oi, i>1, the step 2 has to be adapted. That is, steps 2a and 2b are as follows. Note that it can be decided separately for each execution of step 2 whether local revokability is required or not, i.e., whether the step is executed with the additions below, or not.

2b″. U proves to Oi that it established a public key with Oj, that the corresponding secret key is encrypted in e1(OiOj) under the public key PUOi, and that U owns a credential by Oj (w.r.t. the public key U established with Oj). Furthermore, U also proves that υ(Oi,Oj) is an encryption of the public key U has established with Oj under the Oj's revocation manager's public key PRj, More formally, U proves Oi the following
PK{(α, β, γ, δ, ε, ν): α=ƒOj(β) Λe1(OiOj)=EncPoi(β, γ) Λ1=V er(α, δ, POj) Λυ(Oi,Rj)=EncPRj(α∥mRυ)}
Note that here we assumed that U and Oi both trust the revocation manager Rj. However, it would also be possible that they agree upon a different revocation manager.

Showing a credential to a verifier V under “Multiple show” works as follows:

1″. U proves to V that it established a public key with Oj, that U owns a credential by Oj on that public key, and that U actually known the corresponding secret key.

Furthermore, U also proves V that υ(V,Ri) More formally, U proves V the following
PK{(α, β, δ, γ):α=ƒOj(β)Λ1=V er(α, δ, POj)Λυ(Oi,Rj)=EncPRi(α∥mR, γ)}
With respect to showing credential of several organizations the same remark applies as aforementioned.

Global revokability is very similar to local revokability. Global revokability means basically showing possession of a CA-credential with (local) revokability as described in the previous section because when the pseudonym under which a users is known to the CA is revealed, the CA can determine the user's real identity.

In case proving possession of a credential to a verifier V needs global revokability, a user U, need to show V not only the credential of the associated organization but also the one of the CA. Thus, U and V need to execute the second method (with the extensions of the previous section) up to where credential are granted. As mentioned earlier, instead of publishing the encryptions obtained from U during the protocol's execution, V could send them to its associated organization for publication.

Note: In practice, when requiring global revokability for proving possession of a credential to a verifier V, one would probably also want local revokability. If this is the case, it would be easier to just have local revokability for proving possession of a credential to a verifier V and then ask for global revokability when the U registers with the organization associated with V.

The methods as described above can be used as “multi-show” credentials. However, the methods can be refined in a way to function as “one-show” credentials. A one-show credential is credential such that when a users shows it more than once then these different showings can be linked. (Note that although these showing can be linked, the pseudonym associated with the credential is not revealed. Hence anonymity is maintained.)

One-show credentials can be implemented in a similar manner as multi-show credential, but by having some extra information revealed about the credential such that using the credential more than once can be detected. One method to implement them is that each organization X publishes a suitable one-way function {circumflex over (ƒ)}x(·). This function must have the property that, given {circumflex over (ƒ)}x(s) given ƒx(s′) it is hard to decide whether s=s′.

Issuing a one-show credential is not different from issuing ordinary credentials. Therefore, the protocol for entering the pseudonym system and registering with the CA remains unchanged. However, the CA needs of course to publish a function {circumflex over (ƒ)}CA as part of its public key and state that all credentials issued w.r.t. this public key are one-show credentials.

The step 2 of the second method has to be adapted to register with Oi and to obtaining a credential from Oi, i>1. That is, steps 2a and 2b are as follows. Note that it can be decided separately for each execution of step 2 whether local revokability is required or not, i.e., whether the step is executed with the additions below, or not.

2a′″. U chooses a random r, computes e1(Oi,Oj)=EncPUOi(SUOj,r) and {circumflex over (P)}UOj={circumflex over (ƒ)}Oj(SUOj), and sends e1Oj and {circumflex over (P)}UO3 to Oi.

2b′″. U proves to Oi that it established a public key with Oj, that the corresponding secret key is encrypted in e1(Oi,Oj) under the public key PUOi, and that U owns a credential by Oj (w.r.t. the public key U established with Oj). Furthermore, U also proves that the preimage of {circumflex over (P)}UOj under under {circumflex over (ƒ)}Oj is the secret key of the public key U has established with Oj. More formally, U proves Oi the following
PK{(α, β, γ, δ, ε, ν): α=ƒOj(β)Λe1(Oi,Oj)=EncPUOi(β, γ)Λ1=V er(α, δ, POj)Λ{circumflex over (P)}UOj={circumflex over (ƒ)}Oj(β)}

The organization Oi can now tell whether some user showed a credential twice by checking whether it has seen {circumflex over (P)}UOj before. This might for instance be the case is a user wants to register twice with the same organizations.

The third method for proving possession to a verifier needs to be adapted as follows for one-show credentials.

0′″. (new) U computes {circumflex over (P)}UOj={circumflex over (ƒ)}Oj(SUOj) and sends {circumflex over (P)}UOj to V.

1′″. U proves to V that it established a public key with Oj, that U owns a credential by Oj on that public key, and that U actually known the corresponding secret key. Furthermore, U also proves that the pre-image of {circumflex over (P)}UOj under {circumflex over (ƒ)}Oj is the secret key of the public key U has established with Oj. More formally, U proves V the following
PK{(α, β, δ, γ):α=ƒOj(β)Λ1=Ver(β, δ, POj)Λ{circumflex over (P)}UOj={circumflex over (ƒ)}Oj(β)}

The verifier V can now tell whether some user showed a credential twice by checking whether it has seen {circumflex over (P)}UOj before.

If a user wants or needs to obtain a second one-show credential from some organization, the two parties need of course to run the whole issuing protocol again, e.g., the user needs to chose a different PUOj.

We can of course combine one-show credentials with the local and global revocation mechanism described above.

In principle a one-show certificate can also be used as a multi-show credential as they are basically the same credential, only that some additional information is revealed if it should be one-show. It is up to the system, whether credentials issued by organization X are one-show only as soon some as the function {circle around (ƒ)}X is part of its public key. In practice, some policy stating when a credential is one-show and when multi-show would probably be part of the organizations' public keys.

A further refinement allows to have a build-in revocation. This kind of credentials are an extension of the one-show credentials described above in that provide build-in (local) revocation: if a users proves possession of the the same credential more than once (or, in general, k times), then his pseudonym with the issuing organization gets revealed directly, i.e., without the help of any revocation manager. However, if the users proves possession of the same credential only once (or less than k times), then the user remains anonymous. Note that this is different from the case where we have one-time credentials with local revocation. (In case the user is allowed prove possession of a credential up to k, these different showings are linkeable.)

In the following we describe the system such that showing a credential more than once reveals the user's identity. Similarly as described above, each organization X publishes two suitable one-way functions {circumflex over (ƒ)}X(·):{0, 1}*→{0, 1}* and {tilde over (ƒ)}X:{0, 1}* ×{0, 1}*→{0, 1}*. Furthermore, we require the function {tilde over (ƒ)}X to be homomorphic, i.e., that there are operations ★ and ⊕ such that {circumflex over (ƒ)}X(a)★{circumflex over (ƒ)}X(b)={circumflex over (ƒ)}X(a⊕b) holds for all a and b. This also defines “multiplication” with a scalar c:{circumflex over (ƒ)}X(c·a)={circumflex over (ƒ)}X(a)c. Furthermore, {circumflex over (ƒ)}X must have the property that, given {circumflex over (ƒ)}X(s1), {circumflex over (ƒ)}X(s2), {circumflex over (ƒ)}X(s3), ƒX(s′1), and {tilde over (ƒ)}X(s′2,s′3) it is hard to decide whether any of the relations s1=s′1, s2=s′2, and s3=s′3hold. (All these functions can be realized under the discrete logarithm or the RSA assumption.)

In the following the changes are described in case that the CA issues one-show credentials. Steps 1 and 6 of the first protocol needs to be modified as follows.

1″″. U chooses new (random) secret keys SUCA, {tilde over (S)}′UCA, {tilde over (S)}″UCA, computes the two public keys PUCA=ƒCA(SUCA) and {tilde over (P)}UCA={tilde over (ƒ)}CA({tilde over (S)}′UCA, {tilde over (S)}{tilde over (″)}UCA), and sends PUCA and {tilde over (P)}UCA to CA.

6″″. The CA computes the credential on PUCA, {tilde over (P)}UCA, i.e., computes cUCA=Sig(PUCA∥{tilde over (P)}UCA, PCA) and sends cUCA to U.

In the following, it is assumed (PUCA, {tilde over (P)}UCA) as being one public key, i.e., the one that user U has established with organization X.

Now, it is described how a one-show credential with build-in revocation is issued by organization Oi and we assume that Oi wants to see a one-show credential with build-in revocation issued by Oj. From this description is should be clear how to issue such a credential when requiring to see an ordinary credential (or a one-show credential without built-in revocation) as well as how to issue ordinary credentials (or a one-show credential without built-in revocation) when requiring to see a credential with build-in revocation. Almost all steps of the second method are adapted.

1″″. U chooses a new (random) secret keys SUOi, {tilde over (S)}′UOi, {tilde over (S)}{tilde over (″)}UOi, computes the two public keys PUOi=ƒOi(SUOi) and {tilde over (P)}UOi={tilde over (ƒ)}Oi({tilde over (S)}′UOi, {tilde over (S)}{tilde over (″)}UOi), and sends PUOi and {tilde over (P)}UOi to Oi.

2″″. Depending on the requirements of Oi, user U has to prove to Oi that U possesses credentials by various organizations (including CA). Assume that U has to prove Oi the possession of a one-show credential with built-in revocation by Oj. If Oi requires U to prove the possession of credential from other organizations as well, the following steps are repeated for each of these organizations/credentials.

(a) U chooses a random r, computes e1(Oi,Oj)=EncPUO2 (SUOj∥{tilde over (S)}′UOj∥{tilde over (S)}{tilde over (″)}UOi, r), {circumflex over (P)}{circumflex over (′)}UOj={circumflex over (ƒ)}Oj({tilde over (S)}′UOj), and {circumflex over (P)}{circumflex over (″)}UOj={circumflex over (ƒ)}Oj({tilde over (S)}{tilde over (″)}UOj), and sends e1Oj, {circumflex over (P)}{circumflex over (′)}UOj, and {circumflex over (P)}{circumflex over (″)}UOj to Oi.

(b) U proves to Oi that it established a public key with Oj, that the corresponding secret keys are encrypted in e1(Oi,Oj) under the public key PUOi, that the secret key of the second part of the public key established with Oj are the pre-images of {circumflex over (P)}{circumflex over (′)}UOj and {circumflex over (P)}{circumflex over (″)}UOj under {circumflex over (ƒ)}Oj, and that U owns a credential by Oj (w.r.t. the public keys U established with Oj). More formally, U proves Oi the following
PK{(α, β, γ, δ, ε, ξ, Φ):α=ƒOj(β)Λγ={tilde over (ƒ)}Oj(δ, ε)Λe1(Oi,Oj)=EncPUO(β∥δ∥ε, ξ)Λ1=Ver(α∥γ, Φ, POj)Λ{circumflex over (P)}{circumflex over (′)}UOj={circumflex over (ƒ)}Oj(δ)Λ{circumflex over (P)}{circumflex over (″)}UOj={circumflex over (ƒ)}Oj(ε)}

4″″. Oi publishes the list (PUOi, cUOi, e1(Oi,Oj), Oj) for all Oj for which it asked for the possession of credentials of.

When a users show the same credential more than once, Oi will with high probability have chosen different w's and hence U will have replied with different z's. Given two different pairs of w and z, one gets two linear equations with the user's secrets {tilde over (S)}′UOi and {tilde over (S)}{tilde over (″)}UOi as unknowns. These secrets can be retrieved by solving the equations and thus {tilde over (P)}UOi computed which will identify the user.

The third protocol for proving possession to a verifier needs to be adapted as follows for one-show credentials with built-in revocation.

0″″. (new) U computes {circumflex over (P)}′UOj={circumflex over (ƒ)}Oj({tilde over (S)}′UOj) {circumflex over (P)}″UOj={circumflex over (ƒ)}Oj({tilde over (S)}″UOj) and sends {circumflex over (P)}′UOj and {circumflex over (P)}″UOj to V.

1″″. U proves to V that it established a public key with Oj, that U owns a credential by Oj on that public key, and that U actually known the corresponding secret keys. Furthermore, U proves to V that the secret key of the second part of the public key established with Oi are the pre-images of {circumflex over (P)}{circumflex over (′)}UOj and {circumflex over (P)}{circumflex over (″)}UOj under {circumflex over (ƒ)}Oj. More formally, U proves V the following
PK}(α, β, γ, δ, ε, ξ, Φ):α=ƒOj(β)Λγ={tilde over (ƒ)}Oj(δ, ε)Λ1=Ver(α∥γ, Φ, POj)Λ{circumflex over (P)}{circumflex over (′)}UOj={circumflex over (ƒ)}Oj(δ)Λ{circumflex over (P)}{circumflex over (″)}UOj={circumflex over (ƒ)}Oj(ε)Λ}

The verifier V can now tell whether some user showed a credential twice by checking whether it has seen {circumflex over (P)}UOj before and if this was the case compute the user's pseudonym.

Allowing a user to prove possession of a pseudonym up to k times can be done by letting the user choose k+1 additional secret keys (now 2) and then provide the image of all these key under {circumflex over (ƒ)}X and prove the according statement in step 2b′″. The next steps of 2′″ would need to be adapted.

As described in this section proving possession of the same credential more than the allowed number of times reveals only some of the user's secret key of the respective pseudonym. However, the system could be modified such that all the user's secret key of the respective pseudonym get revealed. Depending on the mechanism chosen for the non-transferability, this would mean that also the user's external secret key or all the secret keys he choose within the system. This would presents quite a strong initiative for the user not to show a credential more than the allowed number of times.

It is acknowledged that the feature in described above can easily be combined with other features.

Now, it is explained how one-show credentials could be used and provide the changes to the methods as described above such that our system can by applied for these usages of one-show credentials.

One-show credentials can be used for several reasons.

First, it can be used for tracking the the usage of some credential, e.g., to detect when the same credential is used with any verifier or to detect when the same credential is used with the same verifier, i.e., uses of the same credential with different verifiers cannot be linked. Second, it can be used for allowing the user to use a credential only once. This can be realized with the methods having the one-show credential ability added to it. In order to track the usage of a user's credential, all data collected when some user proves possession of a credential by an organization, say Oj, needs to be send to some central place, e.g., organization Oj.

This can be realized with the methods having the one-show credential ability added with slight modifications applied. Now, showings of the same credential to different entities must no longer be linkeable. This can be achieved by using a different one-way function {circumflex over (ƒ)}X for each entity possession of the credential is proved to rather than that it is specific for the issuer of the credential. To assure that showings to different entity are indeed not linkeable, the functions {circumflex over (ƒ)}X must satisfy the following. Let {circumflex over (ƒ)}X1, . . . , {circumflex over (ƒ)}Xn be such functions chosen be the entities X1 through Xn and let Oj be the issuer of the credential. Then, given {circumflex over (ƒ)}X1(s1), . . . , {circumflex over (ƒ)}n(sn), and ƒOj(s′) it must be hard to decide whether s′=si for any i in 1, . . . , n and whether si=sk for any i and k≠i in 1, . . . , n.

In case a user is not allowed to show a credential more than once (or, in general k times), e.g., if the credential represent electronic money, there are two ways to prevent a user from doing so. Both ways have in common that a user stays fully anonymous if he shows a credential only once (or less than k times). Both these ways are also known “double-spending” prevention mechanisms in digital money schemes (e.g., S. Brands; An efficient off-line electronic cash system based on the representation problem; Technical Report CS-R9323, CWI, April 1993 and D. Chaum, A. Fiat, and M. Naor; Untraceable electronic cash; In S. Goldwasser, editor, Advances in Cryptology—CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 319-327; Springer Verlag, 1990).

In an on-line use, some entity keeps track of whether a credential was used already or not. This entity could either be the organization that issued the credential or some independent central party (possibly a different one for each organization issuing credentials). For this, the method as described above for one-show credentials can be used, with the following modification to the methods 2 and 3: after the organization Oi, resp. the verifier V, have obtained {circumflex over (P)}UOj, they send it to the entity keeping track of whether a credentials has been used. If this entity finds {circumflex over (P)}UOj already in its database, it tells Oi, resp. V, that the credential was already used and is thus invalid (or, in general used more than the allowed number of times); otherwise it adds {circumflex over (P)}UOj to its database (and/or increases the related counter) and tells Oi, resp. V. Hence, Oi, resp. the verifier V will only accept the showing of a credential if the track-keeping entity says that the credential is still valid. Thus usage of a credential more than the allowed number of times is prevented. Note that the users' anonymity is still guaranteed.

In an off-line use, the usage of a credential more that the allowed number of times is not prevented but only detected. To disencourage users from over-using a credential, over-usage gets punished. For this the identity/pseudonym of a culprit must be known. However, the system should nevertheless protect innocent users. This can be achieved by using one-show credentials with build-in revocation as described in above. To detect the over-usage of a credential in cases it gets used with different verifiers/organizations, there needs to be an entity that collects all the transcripts of all showing these credentials similar as above, with the difference that now this entity needs not to be on-line during the showing credentials: it suffices if the verifiers/organizations sent the transcripts to this entity, e.g., once a day. Upon receiving this transcripts, this entity can check whether a credential was used more than the allowed number of times, and if this is the case, retrieve the culprits identity/pseudonym as described in above, and take according punishment measures.

In another refinement of the methods according to the present invention, the methods provide the ability to have a designated verifier. This is realized with a special kind of credentials having the property that a user can show these credentials only to a particular verifier. Moreover, the user cannot convince anyone else that the credential is valid.

For this to work, we need two things. First, each issuing organization published a homomorphic function {hacek over (ƒ)}X(•, •). Second, the designated verifier (a ordinary verifier V or an organization Oi) must have made available a public key of an homomorphic public key encryption scheme (e.g., P. Paillier, Public-key cryptosystems based on composite residuosity classes; in J. Stern, editor, Advances in Cryptology—EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, pages 223-239; Springer Verlag, 1999).

Let EVi and DVi (resp, EOi and DOi) denote the public and secret keys of the verifier (resp., organization) of such an encryption scheme. Thus due to the homomorphic property we will have that, e.g., c=DecDV(EncEVi(a, r1)★EncEV(b, r2))=a⊕b. Furthermore, we require that the homomorphic property of this encryption scheme is “compatible” with the homomorphic property of function {hacek over (ƒ)}X( ). That is, for the above example, we require that {hacek over (ƒ)}X(c)={hacek over (ƒ)}X(a)★{hacek over (ƒ)}X(b).

Let Vk be the designated verifier (which could be an ordinary verifier or an organization). In order to enter the pseudonym system, Step 1 of the first method needs to be divided into several steps:

1′″″(a) U chooses new (random) secret keys SUCA and {hacek over (S)}UCA, computes {hacek over (P)}={hacek over (ƒ)}CA(SUCA, {hacek over (S)}UCA) and PUCA=ƒCA(SUCA), and sends {hacek over (P)} and PUCA to CA, and proves CA the following
PK{(α, β):PUCA=ƒCA(α)Λ{hacek over (P)}={hacek over (ƒ)}CA(α, β)}

(b) CA chooses a random {hacek over (S)} and an r, computes {hacek over (P)}UCA={hacek over (P)}★{hacek over (ƒ)}CA(0, {hacek over (S)}) and {hacek over (z)}U(CA,Vkx)=EncEVk({hacek over (S)},r), sends PUCA and {hacek over (z)}(CA,Vk) to U, and proves U the following
PK≡(α, β):{hacek over (P)}UCA={hacek over (P)}★{hacek over (ƒ)}CA(0, α)Λ{hacek over (z)}U(CA,Vk)=EncEVk(α, β)}.

At the end of the protocol, we have PUCA={hacek over (ƒ)}CA(SUCA, {hacek over (S)}UCA⊕S), where S is encrypted in {hacek over (z)}U(CA,Vk)=under the encryption public key of the verifier Vk. Thus U does not know the pre-image of {hacek over (P)}UCA under {hacek over (ƒ)}CA.

This section describes how a designated verifier credential is issued by organization Oi. We assume that Oi requires the possession of a a designated verifier credential issued by Oj, where Oi is the designated verifier. From this description is should be clear how to issue such credential when requiring another type of credential as well as how to issue other types of credentials when requiring a designated verifier credential.

Almost all steps of the second method have to be adapted.

1′″″. (a) U chooses new (random) secret keys SUOi and {hacek over (S)}UOi, computes {hacek over (P)}={hacek over (ƒ)}Oi(SUOi, {hacek over (S)}UOi) and PUOi=ƒOi(SUOi), sends {hacek over (P)} and PUOi to Oi, and proves Oi the following
PK{(α, β):PUOi=ƒOi(α)Λ{hacek over (P)}=ƒOi(α, β)}

(b) Oi chooses a random {hacek over (S)} and an r, computes {hacek over (P)}UOi=*{hacek over (P)}★{hacek over (ƒ)}Oi(0, {hacek over (S)}) and {hacek over (z)}U(Oi,Vk)=EncEVk({hacek over (S)}, r), sends PUOi and {hacek over (z)}U(Oi,Vk) to U, and proves U the following
PK{(α, β):{hacek over (P)}UOi={hacek over (P)}★{hacek over (ƒ)}Oi(0, α)Λ{hacek over (z)}U(Oi,Vk)=EncEVk(α, β)}.

2′″″. Depending on the requirements of Oi, user U has to prove to Oi that U possesses credentials by various organizations (including CA). Assume that U has to prove Oi the possession of a designated verifier credential by Oj. If Oi requires U to prove the possession of credential from other organizations as well, the following steps are repeated for each of these organizations/credentials.

(a) U chooses random S′, r1, r2, and computes z={hacek over (z)}U(Oj,Oi)★EncEOz(S′, r1S={hacek over (S)}UOj⊖S′, where ⊖ is defined as the inverse operation of ⊕. U also chooses a random r, computes e1(Oi,Oj)=EncPUOi(SUOj, r2), and sends z and e1Oj to Oi.

(b) U proves to Oi that it established a public key with Oj, that the corresponding secret keys are encrypted in e1(Oi,Oj) under the public key PUOi, and that U owns a credential by Oj (w.r.t. the public keys U established with Oj). More formally, U proves Oi the following
{tilde over (P)}{tilde over (K)}{(α, β, γ, δ, ε):α={hacek over (ƒ)}Oj(β, γ)Λe1(Oi,Oj)=EncPUOi(β, δ)Λ1=Ver(α, ε, POj) }

The above method is {tilde over (P)}{tilde over (K)} is not an ordinary proof of knowledge as all the other proofs considered so far because U does not know γ (see explanation below).

4′″″. Oi publishes the list (PUOj, cUOi, e1(Oi,Oj), Oj) for all Oj for which it asked for the possession of credentials of.

As already mentioned, the method {tilde over (P)}{tilde over (K)}{(α, β, γ, δ, ε):α={hacek over (ƒ)}Oj(β, γ)Λe1(Oi,Oj)=EncPUOi(β, δ)Λ1=Ver(α, ε, POj)} is not an ordinary proof of knowledge as described at the beginning. The reason is that the user does not known the value γ because this value is shared between the user and the designated verifier (here Oi): from decrypting z the designated verifier Oi knows a value, say si, such that {circumflex over (P)}UOj={hacek over (ƒ)}Oj(SOj, si⊕S), where S and SOj secrets known only to U. Therefore, Oi and U can only together execute the above proof which now becomes a “multi-party computation” where both U and Oi have secret inputs. The output of the computation will be 1 if and only if the secret inputs α, β, γ, δ, ε of the two parties satisfy α={hacek over (ƒ)}Oj(β, γ)Λe1(Oi,Oj)=EncPUOi(β, δ)Λ1=Ver(α, ε, POj). Technically, this can for instance be realized using techniques described in M. Ben-Or, S. Goldwasser, and A. Wigderson; Completeness theorems for non-cryptographic fault-tolerant distributed computation; In Proc. 20th Annual ACM Symposium on Theory of Computing (STOC), pages 1-10, 1988.

In order to allow the showing of a credential to a verifier V under “multiple-show” the third method is revised as follows:

0′″″. (new) U chooses random S′ and r, and computes z={hacek over (z)}U(Oj,V)★EncPV({hacek over (S)},r) and S={hacek over (S)}UOj⊖S′, where ⊖ is defined as the inverse operation of ⊕. U and sends z to V.

1′″″. U proves to V that it established a public key with Oj, and that U owns a designated verifier credential by Oj. More formally, U proves V the following
{tilde over (P)}{tilde over (K)}{(α, β, γ, δ):α={hacek over (ƒ)}Oj(β, γ)Λ1=Ver(α, δ, POj)}

With respect to the method {tilde over (P)}{tilde over (K)}{(α, β, γ, δ):α={hacek over (ƒ)}Oj(β, γ)Λ1=Ver(α, δ,POj)} the same remark as aforementioned applies.

The methods provided in section can easily be adapted such that a credential can be used for several designated verifiers. This can be achieved by having the issuing party encrypt their {hacek over (S)} for each of the designated verifiers. Thus the users would obtain a {hacek over (z)}U(Oi,Vk) for each of these verifiers.

Of course, all features can be added as well.

For some applications it might be necessary that issued credentials are consistent. That is if some friends that trust each other pool their credentials they might get some credentials they might not be able each individual might not be able to get otherwise. Whereas this is not a problem for, e.g., access to a database it is for credentials such as driver's licenses.

To enforce that credentials are consistent, we can require that a part of a user's secret remains the same for all pseudonym she generates. Thus the function ƒOi needs to take two arguments, i.e., ƒOi (•, •). Now, a user is required to prove that for all pseudonym of which she proves possession of the first argument to functions ƒOi are the same.

Steps 1 of the first method need to be modified as follows, in order to enter the pseudonym system, i.e., to register with the CA.

1′″″. U chooses a master secret keys SUM, and a second secret key SUCA, computes the public keys PUCA=ƒCA(SUM, SUCA), and sends PUCA to CA.

The step 2 has to be adapted to register with Oi and to obtain a credential from Oi, i>1, that is, steps 2a and 2b are as follows. Note that it can be decided separately for each execution of step 2 whether local revokability is required or not, i.e., whether the step is executed with the additions below, or not.

2b″″″. U proves to Oi that it established a public key with Oj, that the corresponding secret key is encrypted in e1(Oi,Oj) under the public key PUOi and that U owns a credential by Oj (w.r.t. the public key U established with Oj). More formally, U proves V the following
PK{(α, β, γ, δ, ε, ξ):α=ƒOj(ε, β)Λe1(Oi,Oj)=EncPUOi(β, γ)Λ1=Ver(α, δ, POj)ΛPUOi=ƒOi(ε, ξ)}

Note that because the master secret key is the same for all pseudonyms, it is not needed to encrypt it in e1(Oi,Oj).

Showing a credential to a verifier V (Multiple show) works as follows:

1″″″U proves to V that it established a public key with Oj, and that U owns a designated verifier credential by Oj. More formally, U proves Oi the following
PK{(α, β, γ, δ):α=ƒOj(β, γ)Λ1=Ver(α, δ, POj)}

The fact that now pseudonyms of the same users contain the same master secret key allows a user to prove possession of several credential without first establishing a pseudonym with the verifier. Assume that U wants to prove V possession of credentials be Oj and Ok. Then third method becomes as follows.

1′″″″. U proves to V that it established a public key with Oj and Ok, and that U owns a designated verifier credential by Oj and Ok More formally, U proves Oi the following
PK{(α, β, γ, δ, ε, ζ, η):α=ƒOj(β,γ)Λ1=Ver(α,δ,POj)Λε=ƒOk(β, ζ)Λ1=Ver(ε, η,POj)}

For the adaptions described in this section, it should obvious how the methods look like when combined with the other extensions.

Encoding an expiration date or other personalized attribute into a credential can be done in several ways. They could be encoded in the users' secret key SUOi, the public keys PUOi, or into the actual credential itself, e.g., cUOi=Sig(PUOi∥attr, POi), where attr stands for the attribute that is checked. Thus, whenever a user proves the possession of a credential, he needs also to prove that the required attr is properly encoded. For the latter, the term 1=Ver(α, δ,POj) in the various PK's would become 1=Ver(α∥attr, δPOj).

If the showing methods are interactive, the party to whom a user proves possession of a credential cannot convince a third party that the method actually took place. This is due to the zero-knowledge property of the PK (sub-)methods. In case it is required that a third party can be convinced that a method took place, one can turn the PK submethods into the corresponding non-interactive SPK's. The message m that gets signed with such a SPK should contain all relevant information related to the respective instance of the showing method.

A scheme is said to provide pseudonymity only, if different showing of credentials are linkeable and non-anonymous. Our system can be used in such a way, if we require that whenever a users proves possession of a credential he also provides the public key established with the issuing organization and the credential in clear.

Previous pseudonym systems obtained PKI-assured non-transferability by requiring that all secret keys of users are constructed such each of them contains as a part the “external secret key” SUPKI. Thus, when a user transfers a credential he necessarily also needs to transfer the external secret key. This mechanism could of course also be used in our scheme (and be combined with the all-or-nothing transferability or any of the other features we described). If this mechanism is used the encryptions e1(Oj,Oi) would no longer be necessary.

In the following we provide a description of how the credential system can be implement more efficiently. Before we can do so, however, we need to provide some building blocks.

Our construction is based on the decisional Diffie-Hellman assumption and the strong RSA assumption. It is provably secure in the random oracle model. In this section, we outline some of the less well-known technical points that will be used when we describe our protocols.

The flexible RSA problem is the following. Let n=pq be a randomly generated RSA modulus. Let a random element z from

n* be given. Find an element uε

n* and a number eε

>1 such that z≡ue (mod n). The strong RSA assumption (SRSA) is that this problem is hard to solve. It is stronger than the traditional RSA assumption which states that given a modulus n and an exponent e it is hard to find u, zε

n* such that z≡ue (mod n). Although both assumptions are stronger than assuming integer factorization to be hard, the only known way of solving the respective problems involves factoring the modulus.

The strong RSA assumption was independently introduced by Barić and Pfitzmann (Barić and Pfitzmann, 1997) and by Fujisaki and Okamoto (Fujisaki and Okamoto, 1997) and has subsequently proved instrumental for constructing existentially unforgeable signature schemes secure against adaptive chosen message attacks (Cramer and Shoup, 1999; Gennaro et al., 1999), and for constructing other important primitives such as group signatures (Ateniese et al., 2000; Camenisch and Michels, 1998) and verifiable secret sharing (Fujisaki and Okamoto, 1998).

Let G=(g) denote a group of prime order q. The most basic protocol we consider is a zero-knowledge proof of knowledge of the discrete logarithm of some group element yεG to the base g (Chaum et al., 1988; Schnorr, 1991). We shortly recall this protocol and its properties: The prover knowing x=loggy sends the verifier the commitment t:=gr, where rεR

q. Then, the verifier sends the prover a random challenge cεR{0, 1}k which he answers with the response s:=r−cx (mod q). (The integer k≧1 is a security parameter.) The verifier accepts if t=gsyc. Triples (t, c, s) with t=gsyc are called accepting triples. As x=loggy can be computed from two accepting triples (t, c, s) and (t, ċ,{dot over (s)}) with c≠ċ, i.e., x:=(s−{dot over (s)})(ċ−c)−1 (mod q), this protocol is a proof of knowledge of loggy. Furthermore, the protocol is honest-verifier zero-knowledge.1 Using notation from (Camenisch and Stadler, 1997), this protocol is denoted
PK{(α):y=gα},
which can be read as “zero-knowledge Proof of Knowledge of α value a such that y=gα holds.” The convention is that Greek letters denote the quantity the knowledge of which is being proved, while all other parameters are known to the verifier. Using this notation, the proof can be described by just pointing out its aim while hiding all details. This helps to see what is proved and to understand the design of higher-level protocols. 1Thus it can be made zero-knowledge by requiring the verifier to commit to the challenge before she receives the prover's commitments.

These kinds of proofs of knowledge (PK) can be turned into signature schemes by the so-called Fiat-Shamir heuristic (Fiat and Shamir, 1987). That is, the prover determines the challenge c by applying a collision-resistant hash-function H to the commitment t and the message m that is signed, i.e., c=H(t, m), and then computes the response as usual. The resulting signature consists of the challenge and the response. We denote such Signature schemes based on a zero-knowledge Proof of Knowledge (SPK) similarly as the PK's, e.g., SPK{(α):y=gα}(m). Such SPK's can be proved secure in the random oracle model (Bellare and Rogaway, 1993; Pointcheval, 1996) given the zero-knowledge and validity (soundness) properties of the underlying PK's.

In this paper we apply such PK's and SPK's to the group of quadratic residues modulo a composite n, i.e., G=QRn. This choice for the underlying group has some consequences. First, the protocols are proofs of knowledge under the strong RSA assumption (Fujisaki and Okamoto, 1997). Second, the largest possible value 2k−1 of the challenge c must be smaller that the smallest factor of G's order. This issue can be addressed by assuring that n is the product of two equal-sized safe primes, i.e., primes p and q such that p′ (p−1)/2 and q′=(q−1)/2 are prime (such p′ and q′ are called Sophie Germain primes). Then the order of QRn will be p′q′ and values k<(log√{square root over (n)})−4 are fine. Third, soundness needs special attention in case the verifier is not equipped with the factorization of n as then deciding membership of QRn is believed to be hard. Thus the prover needs to convince the verifier that the elements he presents are indeed quadratic residues, i.e., that the square roots of the presented elements exist. This can in principle be done with a protocol by Fiat and Shamir (Fiat and Shamir, 1987). However, often it is sufficient to simply execute PK{(α):y2=(g2)α} instead of PK{(α):y=gα}. The quantity a is defined as logg2y2, which is the same as loggy in case y is a quadratic residue.

The following lists and reviews briefly those extensions of the basic PK{(α):y=gα} that we need as building blocks. We also cast these extensions in the notation explained above.

A proof of equality of discrete logarithms of two group elements y1, y2εG to the bases gεG and hεG, respectively, (Chaum, 1991; Chaum and Pedersen, 1993) is denoted PK{(α):y1=gαΛy2=hα}. Generalizations to prove equalities among representations of the elements y1, . . . , ywεG to bases g1, . . . , gυεG are straight forward (Camenisch and Stadler, 1997).

A proof of knowledge of a discrete logarithm of yεG with respect to gεG such that loggy that lies in the integer interval [a, b] is denoted by PK{(α):y=gαΛαε[a, b]}. Under the strong RSA assumption and if it is assured that the prover is not provided the factorization of the modulus (i.e., is not provided the order of the group) this proof can be done efficiently (Boudot, 2000) (it compares to about six ordinary PK{(α):y=gα}.)

The previous protocol can also be used to prove that the discrete logarithms of two group elements y1εG1, y2εG1 to the bases g1εG1 and g2εG2 in different groups G1 and G2 are equal (Brickell et al., 1988; Camenisch and Michels, 1999b). Let the order of the groups be q1 and q2, respectively. This proof can be realized only if both discrete logarithms lie in the interval [0, min{q1, q2}]. The idea is that the prover commits to the discrete logarithm in some group, say G=(g)=(h) the order of which he does not know, and then execute PK{(α, β):y1G1g1αΛy2G2g2αΛCGgαhβΛαε[0,min{q1, q2}]}, where C is the commitment.

This kind of protocol generalizes to several different groups, to representations, and to arbitrary modular relations.

Verifiable encryption is a two-party protocol between a prover and encryptor P and a verifier and receiver V. Their common inputs are a public encryption key E, a public value υ, and a binary relation R on bit strings. As a result of the protocol, V either rejects or obtains the encryption e of some value s under E such that (s, υ)εR. For instance, R could be the relation (s, gs)⊂

q×G. The protocol should ensure that V accepts an encryption of an invalid s only with negligible probability and that V learns nothing beyond the fact that the encryption contains some s with (s, υ)εR. The encryption key E typically belongs to a third party, which is not involved in the protocol at all.

Generalizing the protocol of Asokan et al. (Asokan et al., 2000), Camenisch and Damg{dot over (a)}rd (Camenisch and Damg{dot over (a)}rd, 1998) provide a verifiable encryption scheme for all relations R that have an honest-verifier zero-knowledge three-move proof of knowledge where the second message is a random challenge and the witness can be computed from two transcripts with the same first message but different challenges. This includes most known proofs of knowledge, and all proofs about discrete logarithms from the previous section in particular.

Their verifiable encryption schemes is itself a three-move proof of knowledge of the encrypted witness s and is computationally zero-knowledge if a semantically secure encryption scheme is used (Camenisch and Damg{dot over (a)}rd, 1998).

The basic idea of their scheme is that the prover starts the PK protocol for the relation he wants to prove, i.e., computes the commitment t. Then, he computes the responses so and s1 to the challenges c=0 and c=1, encrypts these two responses under public key E, and sends these encryptions to the verifier. Receiving these, the verifier randomly chooses one of them and asks the prover to open it, thus obtaining a response to either c=0 or c=1. Finally the verifier accepts if the response is valid in the PK protocol w.r.t. the corresponding challenge. This procedure needs to be repeated sufficiently many times to obtain validity (i.e., such that the verifier is assured that at least on of the unopened encryptions also contains a valid response). It is easy to see that, assuming that the adversary will never gain access to the secret key for the underlying encryption scheme, the protocol is computational zero-knowledge if the PK is so and the encryption scheme is semantically secure. On the other hand, if the third party opens the second encryption as well, one gets two accepting triples and hence can compute the witness by the properties of the underlying PK. We refer to Camenisch and Damg{dot over (a)}rd (Camenisch and Damg{dot over (a)}rd, 1998) for further details and efficiency improvements.

We use a similar notation for verifiable encryption as for the PK's and denote by, e.g.,
e:=VE(ElGamal,(g, y)){ξ:υ=gξ}
the verifiable encryption protocol for the ElGamal scheme, whereby loggυ is encrypted in e under public key (y, g). Note that e is not a single encryption, but the verifier's entire transcript of the protocol and contains several encryptions, commitments and responses of the underlying PK.

Our scheme requires each user to encrypt each of her secret keys under one of her public keys, thereby creating “circular encryptions”. However, the definition of a semantically secure encryption scheme does not provide security for such encryptions. Moreover, it is not known whether circular security is possible under general assumptions. In this paragraph we provide for the first time a construction for an encryption scheme that provides security for circular encryptions in the random oracle model given any semantically secure encryption scheme.

As a basis for our circular encryption scheme, we use a variant of ElGamal encryption (ElGamal, 1985) where the public key P=axbυ is derived from two bases a and b (of possibly unknown order) and two secret keys x and y. This variant of the ElGamal cryptosystem is known to be semantically secure under the decisional Diffie-Hellman assumption The resulting circular encryption scheme is as follows. Let the order G=(a)=(b) be≈2l. To encrypt a message mε{0, 1}k, choose a random element r1εG and a random integer r2ε{0, 1}2l, and compute the encryption
(u, υ, w, z):=(Pr2r1, ar2, br2, H(r1)⊕m).

Decryption works by computing

ℋ(uvxwy)⊕z.

We denote this encryption scheme by CEIG and write, e.g., VE(CEIG, (H, a, b, P)){ξ: υ=gξ} when using it for verifiable encryption.

Our pseudonym system requires a prover to verifiably encrypt under a public key that is not revealed to the verifier, that is, the verifier gets to see only a commitment to this public key. Moreover, the prover knows the secret key corresponding to this public key.

Recall that verifiable encryption protocol described earlier demands that prover opens encryptions. In case the verifier knows the encryption public key, the prover can provably open an encryption just by providing the message and all random choices she made. The verifier then just re-runs the encryption algorithm and checks whether this results in the same encryption. In case the verifier does not know the encryption public key, however, this does not work. In the following we describe how the prover can nevertheless convince the verifier that an encryption contains the value she claims. We will use the same encryption scheme as in the previous section, i.e., P=axby serves as public key, and x and y as the corresponding secret keys. Let C=Pgr be the commitment to P, where g is a third random generator of G=(a)=(b), and let (u, υ, w, z)=(Pr2r1, ar2, br2, H(r1)⊕m) be an encryption of m as above. To convince the verifier that m is indeed encrypted in (u, υ, w, z) under the public key committed to by C, the prover reveals r1 and engages with the verifier in
PK{(α, β, γ, δ): C=aαbβgγΛυ=aδΛw=bδΛu/r1=υαwβ}.

The verifier further needs to check if z=H(r1)⊕m.

In the following, we write, e.g., VE(C-CEIG, (H, a, b, g, C)){ξ:υ=gξ} for verifiable encryption with committed encryption public key.

We first describe our basic pseudonym system with all-or-nothing and PKI-assured non-transferability. The basic system compromises protocols for a user to join the system, register with an organization, obtaining multi-show credentials, and showing such credentials. We will then describe extensions that allow for one-show credentials as well and for revocability.

Throughout we assume that the users and organizations are connected by perfectly anonymous channels. Furthermore, we assume that for each protocol the organizations authenticates itself towards the users and that they establish a secure channel between them for each session. For any protocol we describe, we implicitly assume that is some check or sub-protocol (e.g., some proof of knowledge PK) fails for some party, it informs the other participating parties of this and stops.

In the following we use CA and O0 as interchangeable names for the pseudonym system's certification authority.

Our basic system is composed of the protocols presented below in the following way.

System setup: The system parameters are agreed upon and all organizations (including the CA) choose their keys and make the public keys available. It is possible that organizations (apart from the CA join and leave at any time.

A User Joining the System/Registering with the CA:

1. User U identifies herself towards the CA who checks that she is eligible to join the system.

2. U chooses a random nym master secret xuεΓ.

3. They run Protocol 1 to establish U pseudonym PUCA with the CA.

4. Depending on whether we want to have PKI-assured non-transferability, U and CA run Protocol 5.

5. Oi grants U a credential, i.e., they run Protocol 2.

A User Registering with Organization Oi and Obtaining a Credential from Oi:

1. U and Oi run Protocol 1 to establish U pseudonym PUOi with Oi.

2. Let O be the set of organizations of which U must possess a credential in order to obtain a credential from Oi. For each OjεO, user U and Oi carry out Protocol 4.

3. The CA grants U a credential, i.e., they run Protocol 2.

Note that the above steps could be executed at different times.
A User Accessing a Service:

Case I. Assume that a U wants to access some service from V and that to do so U needs to hold a credential by Oj. If this is the case, U can access the service by executing Protocol 3 with V.

Case II. In case U is required to hold credential from a set O of organizations, U must first establish a pseudonym with V, i.e., run Protocol 1, and then run Protocol 4 for each OjεO. If it is understood that the established pseudonym is one-time, i.e., if U is not allowed to access the service again just be proving ownership of the established pseudonym, U and V need not execute the steps 4:3 and 4:2 of the latter protocol.

The system parameter and key generation work as follows. For simplicity we assume some common system parameter: the length of RSA moduli ln, the integer intervals Γ=−]−2lΓ, 2lΓ[, Δ=]−2lΔ, 2lΔ[, Λ=]2lΔ, 2lΔ+lΣ[ such that lΔ=ΔlΓ and lΓ=2ln, where Δ>1 is a security parameter, and 2lΛ>2(22lΓ+2lΓ+2lΔ), and 2(2lΣ(22lΓ+2lΔ)+2lΔ)<2lΛ.

Each organization Oi (including the CA) chooses random ln/2-bit primes p′O1, q′Oi such that pOi=2p′+1 and qOi=2q′+1 are prime and sets modulus nOi=pOiqOi. It also chooses random elements aOi, bOi, dOi, gOi, hOi, εQRnOi. It stores SOi:=(pOi, qOi) as its secret keys and publishes POi:=(nOi, aOi, bOi, dOi, gOi, hOi) as its public key together with a proof that nOi is the product of two safe primes (see (Camenisch and Michels, 1999a) for how the latter can be done) and that the elements aOi, bOi, dOi, gOi, hOi lie indeed in QRnOi, (this can be done by providing their roots; then, to check that an element s has order at least p′q′, one needs only to test whether gcd(s±1, nOi)=1).

This paragraph describes how a user U establishes a pseudonym with organization Oi.

Let xUεΓ be the U's nym master secret. In case Oi is the CA, i.e., U has no yet entered the system, U needs to choose a random xUεR Γ before entering the protocol below. We will see later how it is ensured that U uses the same xu with other organizations.

To establish a pseudonym PUOi with Oi, user U engages in Protocol 1 with Oi. The protocol assures that the established pseudonym is of the right form, i e.

PUOi=aOixUbOisUOi,
with xUεΓ and sUOiεΔ. The value sUOi is chosen by jointly by Oi and U but without Oi learning anything about both values. Note that this protocol does not assure that U uses the xU same xU as with other organizations as well; this is taken care of later in Protocol 4.

Let us explain the steps of this protocol in more detail. First, U commits to xU and to her contribution r1 to sUOi. She sends Oi these commitments and proves to Oi that she knows the committed values (this proof is necessary already at this point of the protocol for the security proof to work). After this, Oi chooses its contribution r to sUOi and sends it to U, who computes sUOi and PUOi sends PUOi to Oi, and proves that she computes PUOi correctly, i.e., that sUOi lies in Δ and is computed correctly from r and the value she committed to earlier in C2. For technical reasons, we consider P and {tilde over (P)} to be the same pseudonym if p2={tilde over (p)}2.

We now describe how a credential can be generated efficiently.

A credential a pseudonym P issued by Oi is a pair (c, e) ε

*nOi such that (PdOj)e≡c (mod nOi). To generate a credential on a priorly established pseudonym PUOi, organization Oi and user U carry out the following protocol.
Protocol 2.

2:1. U identifies as owner of PUOi by engaging in protocol PK{(α, β): (PUOi)2=(aOi2)α(bOi2)β} with Oi.

2:2. Oi looks up PUOi, chooses a random prime eUOiεRΛ, computes

cUOi=(PUOidOi)1/eUOi

mod nOi, sends cUOi to U, and stores cUOi together with PUOi.

2:3. U checks whether

cUOieUOi≡PUOidOi(modnOi)

and stores (cUOi, eUOi) together with PUOi.

Step 2:1 can of course be omitted if the Protocol 2 takes place in the same session as some other protocol where U already proved ownership of PUOi.

The following paragraph describes how showing a single credential can be implemented efficiently.

Assume a user U wants to prove possession of a certificate by organization Oj to a verifier V. They engage in the following protocol.

The PK in step 3:2 proves that U possess a credential issued by Oi on some pseudonym registered with Oj.

The following paragraph describes how showing a credential with respect to a pseudonym can be implemented efficiently.

Assume a user U wants to prove possession of a certificate by organization Oj to an organization Oi with whom U established PUOi. That means Oi not only wants to be assured that U owns a credential by Oj but also that the pseudonym connected with this credential contains on the same master secret key as PUOi. Moreover, the protocol also assures that if U would give the secrets of PUOi to one of her friends, then she would also reveal the secret keys of the pseudonym established with Oj and vice versa, whereby all-or-nothing transferability gets assured. Thus U and Oi engage in the following protocol (in which we assume that Oi has already established that PUOiεQRnOi).

The first two steps of this protocol are similar to the ones of Protocol 3, the difference being that here U also commits in C to the pseudonym established with Oj, and proving that this is indeed the case. This commitment is need for the encryption is step 4:3. In this step all-or-nothing transferability is achieved by (1) verifiably encrypting the secrets keys of the pseudonym U established with Oj using PUOi as the encryption public key (cf. Section ) and (2) verifiably encrypt the secret keys of PUOi using the pseudonym committed in C2 as encryption public key (cf. Section ).

In case we want to have PKI-assured non-transferability only, the steps 4:3 and 4:2 can be omitted. Furthermore, C is not necessary either and can be dropped.

In this paragraph we show how to ensure that if a user gives away his master secret xU, then he will also reveal the secret key of an “external” valuable public key PKU. This is achieved by having the CA ask for this public key PKU and check whether this is the user's public key (e.g., via some external certificate) and then require the user to verifiable encrypt the corresponding secret key such that it can be

We give an example for how this protocol look in case that U external public key YU is discrete logarithm based, i.e., YU=gx for some generator g. Other cases are similar.

Protocol 5.

5:1. U sends YU and g to CA together with the certificate on YU of the external PKI. The CA checks the validity of YU.

The following describes how one show credentials can be implemented efficiently. The credential we considered so far can be shown an unlimited number of times. However, for some services it might be required that a credential can only be used once. Of course, one possibility would be that a user just reveals the credential to the verifier in clean. This, however, would mean that the user is not fully anonymous any more as the verifier and the organization then both know the credential and thus can link the transaction to the user's pseudonym. Traditionally this problem has been solved using so-called blind signatures (Chaum, 1983). Here, we provide a novel and alternative way to approach this problem, i.e., instead of blinding the signer we blind the verifier. This approach could also be used to implement anonymous e-cash (just consider a credential to be money).

In the following we describe the general idea how it is realized. The resulting changes that would have to be made to the individual protocol we do not provide.

Each organization published an additional provably random generator zOiεQRnOi.

A user's pseudonym is formed slightly different:

PUOi=aOixUbOisUOizOirUOi,
where rUOi is chosen be Oi and U together in the same way as is sUOi.

Credential are issued in the very same way as before, i.e., U obtains cUOi and eUOi such that

cUOieUOi≡PUOidOi(modnOi)holds.

When proving possession of a one-show credential issued by Oj (with respect to a pseudonym or not), the user provides the verifier V (which might be an organization) the value

HUOj=hOjrUOj
and proves that it is formed correctly w.r.t. to the pseudonym U established with Oj. Of course, the various PK's in these protocols have to be adapted to reflect the different form of the pseudonym U holds with Oj.

Now, different usages of the same credential can be linked to each other but not to the user's pseudonym with the issuing organization. This allows to prevent users from using the same credential several times, if the verifier checks with the issuing organization whether HUOj was already used or not, similar as it is done for anonymous “on-line” e-cash. Off-line checking could be done as well. As here double usage can only be detected but not prevented, a mechanism for identifying “double-users” is required. This could for instance be achieved using revocation as described in the previous section, or using similar techniques that are used in for anonymous “off-line” e-cash (e.g., (Brands, 1993)). The latter could be done such that using a one-show credential twice would expose the user's secret keys connected with corresponding pseudonym. Together with non-transferability this would be quite a strong incentive for the users not to use one-show credentials twice.

We now describe how local and global revocation can be implemented efficiently. To enable local and global revocation each organization needs a revocation manager. Given the transaction of a protocol where some user proved possession of a credential issued by organization Oi, this organization's revocation manager Ri will have the task to reveal the pseudonym under which the user is known to Oi Each of these managers needs to choose keys of some non-malleable public key encryption scheme. The managers' public keys become part of the respective organizations' public keys. In the following we describe how the protocols for proving possession of a credential must be adapted such that local revocation is possible using Cramer-Shoup encryption (Cramer and Shoup, 1998). We then discuss global revocation. We remark that it can be decided at the time when the possession of a credential is proved whether local and/or global revocation shall be possible for the transaction at hand.

Setup: Each Ri chooses a group HRi of (large) prime order qRi, two provably random generators gRi and hRi, and five secret keys x(1,Ri), . . . , x(5,Ri)εR

qRi and computes

(y(1,Ri),y(2,Ri),y(3,Ri)):=(gRix(1,Ri)hRix(2,Ri),gRix(3,Ri)hRix(4,Ri),gRix(5,Ri))
as his public key.

Let mj be some agreed-upon text describing under which condition Rj is allowed to revoke the anonymity of the transaction of which the current execution of Protocol 3 or 4 is part of, respectively. In the following we provide the steps to be executed after Protocol 3 or 4 in order to get local and/or global revocation.

Camenisch, J. and Michels, M. (1999a). Proving in zero-knowledge that a number n is the product of two safe primes. In Stern, J., editor, Advances in Cryptology—EURO-CRYPT '99, volume 1592 of Lecture Notes in Computer Science, pages 107-122. Springer Verlag.